Securing your Bludit site with HTTP

Posted: Thu Oct 06, 2016 11:31 pm
by mxm
Did you check your Bludit site with https://securityheaders.io? I did.
I spent some time playing with my web server (Lighttpd) trying to set up a more secure configuration, and now my site has an "A" score, so I can share with you how to reach this result.

On Lighttpd (don't forget to switch on mod_setenv):

setenv.add-response-header  = (
	"Strict-Transport-Security" => "max-age=15768000",
	"Content-Security-Policy" => "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
	"X-Content-Type-Options" => "nosniff",
	"X-Frame-Options" => "DENY",
	"X-XSS-Protection" => "1; mode=block"
)

On Nginx:

add_header Strict-Transport-Security "max-age=15768000" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;

On Apache:

# Requires mod_headers (a2enmod headers on Debian/Ubuntu).
# No trailing semicolons: Apache would read ";" as an extra argument to Header.
Header always set Strict-Transport-Security "max-age=15768000"
Header always set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"

I am using the Google Tools and Yandex Tools plugins, so my Content-Security-Policy HTTP header contains links to their external resources. If you aren't using them, just remove the script-src, connect-src and img-src fields. If you are using external image loading, just add the URL to img-src.
Additional details can be found on Scott Helme's blog.
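As an added example (not code from the post or from Bludit), here is a small Python helper that parses the CSP value from the configs above and applies the two adjustments described: dropping script-src, connect-src and img-src when the analytics plugins are not installed (those fetches then fall back to default-src), and adding an extra image host to img-src. The host https://images.example is a constructed placeholder.

```python
from typing import Dict, Iterable, List

# The Content-Security-Policy value from the Lighttpd/Nginx/Apache snippets above.
POST_CSP = (
    "default-src 'self'; "
    "script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; "
    "style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; "
    "font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; "
    "img-src https://www.google-analytics.com https://mc.yandex.ru 'self'"
)
Policy = Dict[str, List[str]]

def parse_csp(policy: str) -> Policy:
    """Split a CSP value into {directive: [sources]}, keeping directive order.
    Browsers honour only the first occurrence of a directive, so repeats are dropped."""
    directives: Policy = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def serialize_csp(directives: Policy) -> str:
    """Join directives back into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())

def drop_directives(directives: Policy, names: Iterable[str]) -> Policy:
    """Remove directives so their fetches fall back to default-src (the post's advice
    when the Google Tools / Yandex Tools plugins are not installed)."""
    gone = {n.lower() for n in names}
    return {n: list(s) for n, s in directives.items() if n not in gone}

def add_source(directives: Policy, name: str, source: str) -> Policy:
    """Allow one more origin for a directive. A directive created here starts from
    default-src's sources, so adding an image host does not silently drop 'self'."""
    updated = {n: list(s) for n, s in directives.items()}
    sources = updated.setdefault(name, list(updated.get("default-src", [])))
    if source not in sources:
        sources.append(source)
    return updated

def effective_sources(directives: Policy, name: str) -> List[str]:
    """Sources governing a fetch directive: its own list, else the default-src fallback."""
    return directives.get(name, directives.get("default-src", []))

if __name__ == "__main__":
    trimmed = drop_directives(parse_csp(POST_CSP), ["script-src", "connect-src", "img-src"])
    # https://images.example is a constructed placeholder for an external image host.
    print(serialize_csp(add_source(trimmed, "img-src", "https://images.example")))
```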

Re: Securing your Bludit site with HTTP

Posted: Thu Oct 06, 2016 11:45 pm
by diego

Re: Securing your Bludit site with HTTP

Posted: Fri Oct 07, 2016 12:21 am
by mxm
:lol: Yes, we know that "Google can't be wrong"

Here is a string for Content-Security-Policy if you are using Disqus and AddToAny plugins:

"default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://mc.yandex.ru https://static.addtoany.com https://*.disqus.com https://*.disquscdn.com 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com https://static.addtoany.com https://*.disquscdn.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru https://links.services.disqus.com 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru https://static.addtoany.com data: https://*.disquscdn.com https://referrer.disqus.com 'self'; frame-src https://static.addtoany.com https://disqus.com 'self'

Re: Securing your Bludit site with HTTP

Posted: Wed Mar 21, 2018 4:02 pm
by BlakesHeaven
Hello, I've just scanned my site running Bludit v2.2.1 (yep going to upgrade soon) and after scanning it on https://securityheaders.io I got a score of "F" :(

It lost marks on the following missing headers:
  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
Is there a plug-in that will harden the headers of Bludit, or is this something each person must do for themselves?
Is it possible for the core program to be strengthened?

Do I put the code in between <head> and </head> somewhere, or is it a server-side setting, or what?
If this code can go in a plug-in how might that be done to be forced into the <head> section?

BTW - My website is hosted on Apache and HTTPS is not an option at the moment.

Re: Securing your Bludit site with HTTP

Posted: Sat Mar 24, 2018 6:31 pm
by Edi
I will check with this tool.
BlakesHeaven wrote: Wed Mar 21, 2018 4:02 pm
BTW - My website is hosted on Apache and HTTPS is not an option at the moment.

There is no excuse for not using https! Starting July 2018 Google will flag websites without SSL certificates as insecure. There is a lot of information about this, for example here:

https://www.theverge.com/2018/2/8/16991 ... yption-ssl

Also SSL is a ranking factor.

Re: Securing your Bludit site with HTTP

Posted: Sat Mar 24, 2018 6:36 pm
by diego
BlakesHeaven wrote: Wed Mar 21, 2018 4:02 pm
Hello, I've just scanned my site running Bludit v2.2.1 (yep going to upgrade soon) and after scanning it on https://securityheaders.io I got a score of "F" :(

It lost marks on the following missing headers:
  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
Is there a plug-in that will harden the headers of Bludit, or is this something each person must do for themselves?
Is it possible for the core program to be strengthened?

Do I put the code in between <head> and </head> somewhere, or is it a server-side setting, or what?
If this code can go in a plug-in how might that be done to be forced into the <head> section?

BTW - My website is hosted on Apache and HTTPS is not an option at the moment.

Hi,
you need to configure your Apache web server with the headers.

The headers checked by that page are different things to the meta tags defined in <head> of the html code.

Regards
Diego

Re: Securing your Bludit site with HTTP

Posted: Mon Apr 02, 2018 8:52 pm
by bdavis
diego wrote: Sat Mar 24, 2018 6:36 pm
Hi,
you need to configure your Apache web server with the headers.

The headers checked by that page are different things to the meta tags defined in <head> of the html code.

Regards
Diego

Mostly true, Diego, but you can specify the Content-Security-Policy in a meta tag inside the header.

This can be the best way to go as one server may host more than one website, with more than one html header which may pull in resources from more than one pool.

Putting this in the meta allows you to tailor that specific project to your exact needs.

I might rustle myself up a quick and dirty plugin for just this.

Re: Securing your Bludit site with HTTP

Posted: Sun Jun 03, 2018 11:46 pm
by BlakesHeaven
bdavis wrote: Mon Apr 02, 2018 8:52 pm
... you can specify the Content-Security-Policy in a meta tag inside the header.

This can be the best way to go as one server may host more than one website, with more than one HTML header which may pull in resources from more than one pool.

Putting this in the meta allows you to tailor that specific project to your exact needs.

I might rustle myself up a quick and dirty plugin for just this.

Hi B Davis, did you get anywhere with this plugin?
Also, a post back to this post with the meta tag code you would suggest putting in the header would be fantastic. Then I can add it to my own theme I am working on. :P

Re: Securing your Bludit site with HTTP

Posted: Mon Jun 04, 2018 12:21 am
by Edi
As Diego explained, the CSP is normally handled by the server.

Adding a meta tag is another possibility. You can add it to your theme without a plugin:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
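To tie the replies above together, an added Python example (not from the thread or from Bludit) that lists which of the scanned headers a response lacks, separates those with a browser-honoured <meta> form from those only the web server can send, and renders the CSP meta tag while refusing directives the meta form silently drops. It goes one step beyond the thread by also counting Referrer-Policy's <meta name="referrer"> form as meta-deliverable; SAMPLE_RESPONSE is a constructed header set modelled on the plain-HTTP Apache site with the "F" score.

```python
import html
from typing import Dict, List, Mapping, Set

# The headers the securityheaders.io scan in this thread looks for.
CHECKED_HEADERS = [
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-XSS-Protection", "X-Content-Type-Options", "Referrer-Policy",
]
# Headers with a <meta> form browsers honour; the scanner still only sees HTTP headers.
META_EQUIVALENT = {
    "Content-Security-Policy": '<meta http-equiv="Content-Security-Policy" content="...">',
    "Referrer-Policy": '<meta name="referrer" content="...">',
}
# CSP directives browsers ignore when the policy arrives in a <meta> element.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}
# Constructed response headers modelled on the plain-HTTP Apache site reported above.
SAMPLE_RESPONSE = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}

def missing_headers(headers: Mapping[str, str], https: bool) -> List[str]:
    """Checked headers absent from a response (names compared case-insensitively).
    Browsers only honour Strict-Transport-Security over HTTPS, so it is skipped on HTTP."""
    present = {name.lower() for name in headers}
    return [h for h in CHECKED_HEADERS
            if h.lower() not in present and (https or h != "Strict-Transport-Security")]

def triage(missing: List[str]) -> Dict[str, List[str]]:
    """Split missing headers into those a theme's <head> can deliver and those that
    must come from the web server configuration (X-Frame-Options etc. ignore <meta>)."""
    return {
        "meta_capable": [h for h in missing if h in META_EQUIVALENT],
        "server_only": [h for h in missing if h not in META_EQUIVALENT],
    }

def meta_unsupported(policy: str) -> Set[str]:
    """Directives in a policy that <meta> delivery would silently drop."""
    names = {chunk.split()[0].lower() for chunk in policy.split(";") if chunk.strip()}
    return names & META_UNSUPPORTED

def csp_meta_tag(policy: str) -> str:
    """Render the policy for a theme's <head>, refusing directives meta delivery ignores."""
    dropped = meta_unsupported(policy)
    if dropped:
        raise ValueError(f"not deliverable via <meta>: {sorted(dropped)}")
    return ('<meta http-equiv="Content-Security-Policy" '
            f'content="{html.escape(policy, quote=True)}">')

if __name__ == "__main__":
    print(triage(missing_headers(SAMPLE_RESPONSE, https=False)))
    print(csp_meta_tag("default-src 'self'; img-src 'self' https://images.example"))
```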